Databases might be the least sexy thing in tech. Second to that might be encryption. That isn’t stopping Kalepso, a Montreal, Canada-based encrypted database startup that’s trying to fill in the gaps in an already crowded security space. (No pressure, then.)
Kalepso says it can do better than other database offerings out there by melding strong security with high reliability, while filling in the spots where sensitive data can be accessed or obtained in the clear. Its Harvard-educated founders found that all the existing database services out there are either slow or insecure. The team says Kalepso, its eponymous database system, sits between the database storage and the application, providing several layers of additional security, which they say doesn’t sacrifice speed, security or functionality of the database. The company launched today at Disrupt Berlin on the Startup Battlefield stage.
In other words, you can access your data securely without it leaking — or getting stolen.
Insider threats, check. Data breaches, protected. Chip-level exploits? No problem, said Kalepso co-founder Georgios Depastas. Kalepso says that its database encryption software covers all bases. Kalepso uses differential privacy to allow database analysis without revealing individuals’ data, while oblivious RAM re-scrambles the database after each query to avoid pattern leakages.
Depastas and team said that they’re already using their technology to help one unnamed financial institution — where data security is paramount — switch from a clunky and cumbersome data transfer setup to Kalepso, by intercepting and encrypting data from its runtime environment in real time and feeding it to its storage server. That means the encrypted data can’t be read on the server — either in storage or its memory. But Kalepso’s technology still lets authorized users run analytics on the data set without decrypting the data. “Every time a new query is fired, the data gets dynamically re-encrypted,” said Depastas, referring to its use of oblivious RAM.
But what does Kalepso’s security offer better than the other major players — Oracle’s MySQL, PostgreSQL or MongoDB? Kalepso doesn’t have a punchy nor convincing answer.
The product sounds good in theory, but Kalepso faces an uphill battle for relevance. The database and database security market is busy and competitive, and the startup is fighting against a raft of already established database encryption offerings, from Baffle to in-house providers like Amazon. The database market is huge — and growing, as much as double-digit billions by 2025.
Kalepso has so far struggled to find its voice — instead relying on catchy cartoon videos, and buzzwords like “hack-proof data protection” and “military-grade encryption” — terms that draw ire from the security community for their baseless and unprovable claims.
The company gets points for using existing, tried and tested cryptographic standards to scramble the data, but loses points for offering a security product — another layer of code that hackers can use to attack — that isn’t open source. That means the code is proprietary and could have flaws — or worse, susceptible to backdoors or exploitation. “We haven’t experienced significant pushback to this approach,” said Depastas. That may work for now, but it’s not likely to fly in the wider enterprise market, which relies on extensive testing and auditing rather than trust or blind faith.
Three years of research later, there’s hope for Kalepso’s success. The company has a beta product and a staging area for companies to test the product — but little else to show for it, beyond impossible promises and thoughtless marketing.